I have two web applications using AAD B2C single sign-on: Mainsite.mydomain.com and support.provider.com (note that they are in different domains). My B2C has only local users, so no external IdP (e.g. Google, Facebook, etc.).
Single sign-on works as expected and the individual logout from each website works as expected.
Now I want Single Logout, i.e. when users log out from the Mainsite I want them to be automatically logged out from the Support website, too. At logout from each app I do call the OIDC /logout endpoint to kill the B2C session as per the documentation, but that isn't enough to log out of the other application.
Reading the OIDC specs, it seems there are three ways to have single logoff, as described here, but none of them seems to be available for B2C:
- Front-end channel (it would require registering a Logout URL for each app, but B2C apps don't have this attribute)
- Back-end channel (it would require registering a Logout URL for each app, but B2C apps don't have this attribute)
- Session Management (this requires a check_session_iframe URL, which is not provided by the B2C /.well-known endpoint)
So it seems that none of the standard methods is supported by B2C. Did anybody manage to figure out how to do it?
Note: there's another similar SO question here, but the single response doesn't actually answer the question, and the comments on it show that others couldn't do single logoff either. Moreover, my case is even simpler, as I don't have any external IdP.
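The back-channel logout mechanism listed in the question (the second of the three), shown as an added example of what a relying party does with the OP's logout token when its provider supports that mechanism. This is not code from the post, and the question states that B2C apps have no logout URL to register, so it illustrates the generic OpenID Connect Back-Channel Logout 1.0 flow rather than a B2C recipe. It assumes a hypothetical issuer `https://op.example/` and client ID `support-app`, and signs the constructed token with HS256 over a shared secret so that it runs offline; a real OP signs with its asymmetric key published at `jwks_uri`, and the relying party would verify against that instead.

```python
"""Generic OIDC back-channel logout handler for a relying party (stdlib only).

Added example. Tokens are HS256-signed with a shared secret purely so the
script is self-contained; a real OP signs with an RS256 key from jwks_uri.
"""
import base64
import hashlib
import hmac
import json
import time

# Event key every logout token must carry (OIDC Back-Channel Logout 1.0, 2.4)
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_logout_token(claims: dict, key: bytes) -> str:
    """Build an HS256 logout token (stands in for the OP's RS256 signature)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_logout_token(token: str, key: bytes, issuer: str, client_id: str,
                        now=None, max_age: int = 300) -> dict:
    """Validate a logout token per section 2.6 of the spec; return its claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, b64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":          # never accept 'none' or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_EVENT), dict):
        raise ValueError("not a back-channel logout event")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("neither sid nor sub present")
    if "nonce" in claims:                      # nonce is prohibited in logout tokens
        raise ValueError("nonce must not be present in a logout token")
    return claims


class RelyingPartySessions:
    """In-memory stand-in for the app's own session store."""

    def __init__(self):
        self.sessions = {}   # local cookie id -> {"sub": ..., "sid": ...}
        self.seen_jti = set()  # replay protection for logout tokens

    def login(self, local_id: str, sub: str, sid: str) -> None:
        # sid comes from the ID token the OP issued at login; we keep it
        # so a later sid-scoped logout can find exactly this browser session.
        self.sessions[local_id] = {"sub": sub, "sid": sid}

    def backchannel_logout(self, token: str, key: bytes, issuer: str,
                           client_id: str, now=None) -> list:
        """Handle a POST to the registered backchannel_logout_uri.

        Returns the local session ids that were terminated.
        """
        claims = verify_logout_token(token, key, issuer, client_id, now)
        jti = claims.get("jti")
        if jti is not None:
            if jti in self.seen_jti:
                raise ValueError("replayed logout token")
            self.seen_jti.add(jti)
        if "sid" in claims:   # one OP session -> the matching local session(s)
            doomed = [k for k, s in self.sessions.items() if s["sid"] == claims["sid"]]
        else:                 # sub only -> every local session of that user
            doomed = [k for k, s in self.sessions.items() if s["sub"] == claims["sub"]]
        for k in doomed:
            del self.sessions[k]
        return sorted(doomed)


def demo() -> list:
    """Constructed scenario: two apps' worth of sessions, one sid logged out."""
    key = b"constructed-shared-secret"            # assumption, demo only
    issuer, client_id = "https://op.example/", "support-app"  # hypothetical
    rp = RelyingPartySessions()
    rp.login("cookie-a", sub="user-1", sid="sid-xyz")
    rp.login("cookie-b", sub="user-1", sid="sid-other")
    token = make_logout_token({"iss": issuer, "aud": client_id, "iat": 1000,
                               "jti": "j1", "sid": "sid-xyz",
                               "events": {BACKCHANNEL_EVENT: {}}}, key)
    return rp.backchannel_logout(token, key, issuer, client_id, now=1010)


if __name__ == "__main__":
    print(demo())
```

The decisive detail for a single-logout design is the `sid` claim: the relying party has to persist the OP session id it received at login alongside its own cookie, otherwise a logout token can only be acted on per `sub`, which signs the user out of every device rather than the one browser that clicked Logout.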